Mike on Security

Steve Gibson’s SQRL is not really new

With much fanfare, Steve Gibson has finally announced a “comprehensive, easy-to-use, high security replacement for usernames, passwords, reminders, one-time-code authenticators … and everything else.”

But what is this new SQRL really about? Basically, a website displays a QR code, which the user scans with their mobile phone. The QR code contains a callback URL and a nonce. The user holds some private information on their phone and uses it to “sign” (in the broadest sense) the nonce. The signed nonce is then sent to the callback URL, and the website can be sure that the user was in possession of a (potentially shared) secret.

This is a classic out-of-band authentication scheme. However, although Gibson celebrates this idea (and himself) as if it were the best invention since sliced bread, it really is not.
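The exchange described above, as an added example that is not part of the original post and not the code of SQRL or eKaay: the site issues a fresh nonce inside the QR payload, the phone answers with a keyed hash over the callback URL and the nonce using a secret provisioned at registration (the “potentially shared secret” case), and the site enforces single use and expiry of each nonce. The callback URL, the `nonce` parameter name and the HMAC-SHA256 construction are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Callback URL, parameter name and secret format are assumptions made for this illustration.
CALLBACK = "https://login.example.test/qr-callback"
MAX_AGE = 60  # seconds a displayed QR code stays valid

def expected_tag(secret, callback, nonce):
    # Keyed hash over callback + nonce: binding the callback means an answer
    # computed for one site is useless when relayed to another.
    return hmac.new(secret, f"{callback}|{nonce}".encode(), hashlib.sha256).hexdigest()

class Site:
    """The website: issues one-time nonces and checks the phone's answer."""
    def __init__(self):
        self.secrets = {}  # user id -> shared secret provisioned at registration
        self.pending = {}  # nonce -> time issued; only unused nonces stay here

    def register(self, user, secret):
        self.secrets[user] = secret

    def qr_payload(self):
        # What the QR code encodes: the callback URL plus a fresh random nonce.
        nonce = secrets.token_hex(16)
        self.pending[nonce] = time.time()
        return f"{CALLBACK}?{urlencode({'nonce': nonce})}"

    def verify(self, user, nonce, tag, now=None):
        # pop() makes each nonce single-use, so a captured answer cannot be replayed.
        issued = self.pending.pop(nonce, None)
        now = time.time() if now is None else now
        if issued is None or now - issued > MAX_AGE or user not in self.secrets:
            return False
        return hmac.compare_digest(expected_tag(self.secrets[user], CALLBACK, nonce), tag)

class Phone:
    """The user's phone: scans the QR code and answers with its provisioned secret."""
    def __init__(self, user, secret):
        self.user, self.secret = user, secret

    def answer(self, payload):
        url = urlparse(payload)
        nonce = parse_qs(url.query)["nonce"][0]
        callback = f"{url.scheme}://{url.netloc}{url.path}"
        return callback, {"user": self.user, "nonce": nonce,
                          "tag": expected_tag(self.secret, callback, nonce)}
```

A real deployment would additionally authenticate the callback endpoint (TLS) and notify the browser session that the nonce it displayed has been answered.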

When I was still working at Tübingen University, a fellow research group worked on a solution similar to what Gibson now proposes. Their implementation has been in production for quite a while at http://www.ekaay.com.

The “eKaay” implementation requires pre-registration, but it could fully emulate Gibson’s SQRL by using dynamic provisioning, a well-established approach in identity management.

As a side note, I find it quite astonishing that the GUI in Gibson’s demo / prototype looks exactly like the eKaay login screen…

But this is not where the prior art ends. Gibson announces that the component techniques and technologies employed by this solution are all well known, well tested, well understood, unencumbered by patents, and exist in the public domain. This is, however, not true! There are several patents protecting this technology, one of them granted to Pedro Celis De La Hoz and Juan Jesus Leon Cobos.

Note that there is a lot more IP and related patents in this area!

Hence, although Gibson generously donates his re-invention of the wheel to the public domain, his “SQRL” scheme is covered by existing patents and is neither free to use nor generally available. Anyone who uses it should expect potential legal trouble.

I recommend doing extensive prior-art research before making such announcements; people who believe them can get into serious trouble.

I think that Mike’s point is that one cannot simply take some technology and then claim it as their own because one does not like the licensing or marketing model. If the scheme is patented and has been commercially operated for years, rebranding it does not magically turn it into open source.

Just read the referenced patents, they describe the process pretty well. What additional documentation are you looking for? ekaay even has an implementation in PHP, look at the code if you want to know how it works.

I don’t really think it’s fair to say he’s ripping off the interface when it’s just a login screen with a QR code next to it.

Do you know for a fact that it’s not just a third-party authorization company, where the app sees the QR code, adds user data and sends it to the site? Is it a public/private keypair controlled by the user?

Benny, this particular implementation is very similar to what Gibson proposed. I don’t say that he ripped off the interface – but “his” idea and implementation are so similar to the existing prior art that even the interface looks exactly the same.

I still find it mind-boggling that Gibson claims this technology as “his invention” when there already are so many other implementations out there (not only eKaay). And claiming that “his idea” is open source, while at the same time knowing very well (because people told him!) that the technology was patented a long time ago, is not only rude, but also a dangerous trap into which he is leading the people who believe his claims and actually implement it.